diff --git a/ct/pocketid.sh b/ct/pocketid.sh
index b56bbbf9f..fed018fce 100755
--- a/ct/pocketid.sh
+++ b/ct/pocketid.sh
@@ -29,6 +29,12 @@ function update_script() {
     exit
   fi
 
+  # Mandatory as of v2.x.x
+  ENCRYPTION_KEY=$(openssl rand -base64 32)
+  if ! grep -q '^ENCRYPTION_KEY=' /opt/pocket-id/.env; then
+    echo "ENCRYPTION_KEY=$ENCRYPTION_KEY" >> /opt/pocket-id/.env
+  fi
+
   if check_for_gh_release "pocket-id" "pocket-id/pocket-id"; then
     if [ "$(printf '%s\n%s' "$(cat ~/.pocket-id 2>/dev/null || echo 0.0.0)" "1.0.0" | sort -V | head -n1)" = "$(cat ~/.pocket-id 2>/dev/null || echo 0.0.0)" ] &&
       [ "$(cat ~/.pocket-id 2>/dev/null || echo 0.0.0)" != "1.0.0" ]; then
diff --git a/install/pocketid-install.sh b/install/pocketid-install.sh
index b9e9e204d..01fc7d05e 100644
--- a/install/pocketid-install.sh
+++ b/install/pocketid-install.sh
@@ -17,6 +17,8 @@ read -r -p "${TAB3}What public URL do you want to use (e.g. pocketid.mydomain.co
 fetch_and_deploy_gh_release "pocket-id" "pocket-id/pocket-id" "singlefile" "latest" "/opt/pocket-id/" "pocket-id-linux-amd64"
 
 msg_info "Configuring Pocket ID"
+ENCRYPTION_KEY=$(openssl rand -base64 32)
+
 cat <<EOF >/opt/pocket-id/.env
 APP_ENV=production
 APP_URL=https://${public_url}
@@ -24,6 +26,7 @@ TRUST_PROXY=false
 # MAXMIND_LICENSE_KEY=
 PORT=1411
 HOST=0.0.0.0
+ENCRYPTION_KEY=${ENCRYPTION_KEY}
 EOF
 msg_ok "Configured Pocket ID"